Update NSS to 3.41

1 files changed, 13 insertions, 3 deletions

diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
index fa8f1851e..145dcff9a 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -2914,7 +2914,8 @@ PKIX_PL_Cert_CheckValidity(
         requiredUsages = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
         allowOverride =
             (PRBool)((requiredUsages & certificateUsageSSLServer) ||
-                     (requiredUsages & certificateUsageSSLServerWithStepUp));
+                     (requiredUsages & certificateUsageSSLServerWithStepUp) ||
+                     (requiredUsages & certificateUsageIPsec));
         val = CERT_CheckCertValidTimes(cert->nssCert, timeToCheck, allowOverride);
         if (val != secCertTimeValid){
                 PKIX_ERROR(PKIX_CERTCHECKCERTVALIDTIMESFAILED);
@@ -3001,8 +3002,17 @@ PKIX_PL_Cert_VerifyCertAndKeyType(
     if (CERT_CheckKeyUsage(cert->nssCert, requiredKeyUsage) != SECSuccess) {
         PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED);
     }
-    if (!(certType & requiredCertType)) {
-        PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+    if (certUsage != certUsageIPsec) {
+        if (!(certType & requiredCertType)) {
+            PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+        }
+    } else {
+        PRBool isCritical;
+        PRBool allowed = cert_EKUAllowsIPsecIKE(cert->nssCert, &isCritical);
+        /* If the extension isn't critical, we allow any EKU value. */
+        if (isCritical && !allowed) {
+            PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+        }
     }
 cleanup:
     PKIX_DECREF(basicConstraints);